Merge branch 'main' into fix/issue10501

Author: mcanouil

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -29,31 +29,29 @@ body:
         You can share a Quarto document using the following syntax, _i.e._, using more backticks than you have in your document (usually four ` ```` `).
         For example with Quarto CLI >=1.5:
 
-        `````md
-        ````qmd
-        ---
-        title: "Reproducible Quarto Document"
-        format: html
-        engine: jupyter
-        ---
-
-        This is a reproducible Quarto document using `format: html`.
-        It is written in Markdown and contains embedded Python code.
-        When you run the code, it will produce a message.
-
-        ```{python}
-        print("Hello, world!")
-        ```
-
-        ![An image]({{< placeholder 600 400 >}}){#fig-placeholder}
-
-        {{< lipsum 1 >}}
-
-        A reference to @fig-placeholder.
-
-        The end.
-        ````
-        `````
+            ````qmd
+            ---
+            title: "Reproducible Quarto Document"
+            format: html
+            engine: jupyter
+            ---
+            
+            This is a reproducible Quarto document using `format: html`.
+            It is written in Markdown and contains embedded Python code.
+            When you run the code, it will produce a message.
+            
+            ```{python}
+            print("Hello, world!")
+            ```
+            
+            ![An image]({{< placeholder 600 400 >}}){#fig-placeholder}
+            
+            {{< lipsum 1 >}}
+            
+            A reference to @fig-placeholder.
+            
+            The end.
+            ````
 
   - type: textarea
     attributes:

.github/actions/cache-typst/action.yml

@@ -1,10 +1,24 @@
-name: "Cache Typst package"
+name: "Restore any Typst package cache"
 description: "Configures the caching for Typst packages"
+outputs:
+  cache-hit:
+    description: "Was a cache found with primary key ?"
+    value: ${{ steps.cache-typst-restore.outputs.cache-hit }}
+  cache-primary-key:
+    description: "Key of the cache to find and save"
+    value: ${{ steps.cache-typst-restore.outputs.cache-primary-key }}
+  cache-matched-key:
+    description: "Key of the cache found and used."
+    value: ${{ steps.cache-typst-restore.outputs.cache-primary-key }}
+  cache-path:
+    description: "where is the packages cache for typst ?"
+    value: ${{ steps.cache-typst-path.outputs.TYPST_CACHE }}
 
 runs:
   using: "composite"
   steps:
     - name: Typst Cache path
+      id: cache-typst-path
       run: |
         case $RUNNER_OS in
           "Linux")
@@ -21,13 +35,14 @@ runs:
               exit 1
               ;;
         esac
+        echo "TYPST_CACHE=${TYPST_CACHE}" >> $GITHUB_OUTPUT
       shell: bash
 
     - name: Cache Typst package folder
-      uses: actions/cache@v4
+      id: cache-typst-restore
+      uses: actions/cache/restore@v4
       with:
         path: ${{ env.TYPST_CACHE }}
-        key: ${{ runner.os }}-typst-1-${{ github.run_id }}
+        key: ${{ runner.os }}-typst-1
         restore-keys: |
-          ${{ runner.os }}-typst-1-
-        save-always: true
+          ${{ runner.os }}-typst-

.github/pull_request_template.md

@@ -24,4 +24,7 @@ I have (if applicable):
 
 - [ ] filed a [contributor agreement](https://github.com/quarto-dev/quarto-cli/blob/main/CONTRIBUTING.md).
 - [ ] referenced the GitHub issue this PR closes
-- [ ] updated the appropriate changelog
+- [ ] updated the appropriate changelog in the PR
+- [ ] ensured the present test suite passes
+- [ ] added new tests
+- [ ] created a separate documentation PR in [Quarto's website repo](https://github.com/quarto-dev/quarto-web/) and linked it to this PR

.github/workflows/actions/quarto-dev/action.yml

@@ -42,10 +42,28 @@ runs:
           echo "Unexpected package/dist/share path detected: $(quarto --paths)"
           Exit 1 
         }
-        If ( "$(git status --porcelain)" -ne "" ) {
-          echo "Uncommitted changes detected:"
-          git status --porcelain
-          Exit 1 
+        # check if configure is modifying some files as it should not
+        $modifiedFiles = git diff --name-only
+        If ($modifiedFiles -ne "") {
+
+          # Convert the list to an array
+          $modifiedFilesArray = $modifiedFiles -split "`n" | ForEach-Object { $_.Trim() }
+
+          If ($modifiedFilesArray -contains "tests/uv.lock") {
+            Write-Output "::warning::test/uv.lock has been modified."
+            $modifiedFilesArray = $modifiedFilesArray | Where-Object { $_ -notmatch "uv.lock" }
+          }
+
+          # Count the number of modified files
+          $modifiedFilesCount = $modifiedFilesArray.Count
+
+          If ($modifiedFilesCount -ge 1) {
+            Write-Output "::error::Uncommitted changes detected."
+            foreach ($file in $modifiedFilesArray) {
+              Write-Output $file
+            }
+            Exit 1
+          }
         }
 
     - name: Quarto Check

.github/workflows/actions/sign-files/action.yml

@@ -0,0 +1,97 @@
+name: "Signing file"
+description: "Install and configure the environment to then do the signing of files."
+inputs:
+  paths:
+    description: "Paths to sign"
+    required: true
+  signtools-extra-args:
+    description: "Additionnal arguments to pass to signtool"
+outputs:
+  cert_path:
+    description: "certificate path"
+    value: ${{ steps.setup-cert.outputs.SM_CLIENT_CERT_FILE }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup for SMCTL authentication
+      id: setup-cert
+      shell: pwsh
+      run: |
+        Write-Output "::group::Check for required environment variable"
+        if (-not $env:SM_CLIENT_CERT_FILE_B64) {
+          Write-Output "::error title=Environment Variable Error::SM_CLIENT_CERT_FILE_B64 is not set"
+          exit 1
+        } else {
+          Write-Output "SM_CLIENT_CERT_FILE_B64 is set correctly"
+        }
+        Write-Output "::endgroup::" 
+        Write-Output "::group::Retrieve client certificate for auth"
+        if (!(Test-Path ".\.build\certificates\codesign.pfx")) {
+          # Get certificates
+          New-Item -ItemType Directory -Force -Path .\.build\certificates
+          Set-Content -Path ".\.build\certificates\codesign.txt" -Value $env:SM_CLIENT_CERT_FILE_B64
+          & certutil -decode ".\.build\certificates\codesign.txt" ".\.build\certificates\codesign.pfx"
+        } else {
+          Write-Output "Certificate already exists"
+        }
+        # Configure environment for next step
+        "SM_CLIENT_CERT_FILE=.\.build\certificates\codesign.pfx" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+        Write-Output "::endgroup::"
+
+    - name: Install SMCTL
+      shell: pwsh
+      run: |
+        Write-Output "::group::Install smctl if needed"
+        if (!(Get-Command smctl -ErrorAction SilentlyContinue)) {
+          curl -o smtools-windows-x64.msi "https://rstudio-buildtools.s3.amazonaws.com/posit-dev/smtools-windows-x64.msi"
+          msiexec /i smtools-windows-x64.msi /quiet /qn /log smtools-windows-x64.log
+          "C:/Program Files/DigiCert/DigiCert One Signing Manager Tools" | Out-File -FilePath $env:GITHUB_PATH -Append
+          Write-Output "SMCTL installed and added on PATH"
+        } else {
+          Write-Output "SMCTL already installed and on PATH"
+        }
+        Write-Output "::endgroup::" 
+        Write-Output "::group::Add signtools in PATH"
+        if (!(Get-Command signtool -ErrorAction SilentlyContinue)) {
+          "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" | Out-File -FilePath $env:GITHUB_PATH -Append
+          Write-Output "signtool added on PATH"
+        } else {
+          Write-Output "signtool already installed and on PATH"
+        }
+        Write-Output "::endgroup::"
+
+    - name: Sign files with signtool
+      shell: pwsh
+      env:
+        SM_CLIENT_CERT_FILE: ${{ steps.setup-cert.outputs.SM_CLIENT_CERT_FILE }}
+      run: |
+        Write-Output "::group::Check for required environment variables"
+        $requiredEnvVars = @('SM_HOST', 'SM_API_KEY', 'SM_CLIENT_CERT_FILE', 'SM_CLIENT_CERT_PASSWORD', 'CERT_FINGERPRINT')
+        foreach ($envVar in $requiredEnvVars) {
+          if (-not $(Get-Item -Path "Env:$envVar" -ErrorAction SilentlyContinue)) {
+            Write-Output "::error title=Missing environment variable::Environment variable $envVar is not set."
+            exit 1
+          }
+          Write-Output "All env var correctly set."
+        }
+        Write-Output "::endgroup::"
+        Write-Output "::group::Sync certificates"
+        smctl windows certsync
+        Write-Output "::endgroup::"
+        # Sign each file that will be bundled in the installer
+        $paths = "${{ inputs.paths }}" -split "`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" }
+        foreach ($path in $paths) {
+          Write-Output "::group::Signing ${path}"
+          signtool.exe sign /sha1 $env:CERT_FINGERPRINT /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ${{ inputs.signtools-extra-args }} $path
+          if ($LASTEXITCODE -ne 0) {
+            Write-Output "::error title=Signing error::Error while signing ${path}"
+            exit 1
+          }
+          signtool.exe verify /v /pa $path
+          if ($LASTEXITCODE -ne 0) {
+            Write-Output "::error title=Verify signature error::Error while verifying ${path}"
+            exit 1
+          }
+          Write-Output "::endgroup::"
+        }